Hash-based Message Authentication Code support added to the API

Today we've added a new feature to the latest version of our API called Hash-based Message Authentication Code, abbreviated HMAC, which makes it possible for you to verify our JSON payloads by hashing them and then comparing the resulting hash to the one we supply in a new header alongside our API results.

Below is how the shared key appears within the customer dashboard. To use this feature, visit your dashboard, copy your unique HMAC key into your software, and then perform a SHA-256 hash of our JSON payloads keyed with this shared key.

[Image: the shared HMAC key in the customer dashboard]

The new header where our hashes will be available is called http_x_signature. You'll only find it in our API results if you're making your query via TLS (HTTPS) and have visited your dashboard since this feature was added, so that you can retrieve your unique HMAC key.
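The client-side check described above, as an added example (not code from this API's maintainers). It assumes the signature is the hex-encoded HMAC-SHA256 of the raw response body, which the post does not state; the function and exception names are hypothetical.

```python
import hashlib
import hmac
import json

# Header name as given in this post; hex encoding of the digest is an assumption.
SIGNATURE_HEADER = "http_x_signature"


class SignatureError(Exception):
    """Raised when a payload cannot be authenticated."""


def verify_payload(raw_body: bytes, headers: dict, shared_key: bytes) -> dict:
    """Authenticate raw_body with HMAC-SHA256, then parse it as JSON.

    The MAC is computed over the exact bytes received, before any JSON
    decoding: re-serialising parsed JSON can change whitespace or key
    order and would produce a different digest.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(SIGNATURE_HEADER)
    if not supplied:
        # Fail closed: if a missing header were accepted, stripping the
        # header in transit would bypass the check entirely.
        raise SignatureError("signature header missing")

    expected = hmac.new(shared_key, raw_body, hashlib.sha256).hexdigest()
    candidate = supplied.strip().lower().encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode("ascii"), candidate):
        raise SignatureError("signature mismatch")
    return json.loads(raw_body)


def demo() -> dict:
    # Constructed sample key and payload, not real values from the service.
    key = b"constructed-demo-key"
    body = b'{"status":"ok","198.51.100.7":{"proxy":"no"}}'
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return verify_payload(body, {SIGNATURE_HEADER: sig}, key)


if __name__ == "__main__":
    print(demo())
```

Pass the response bytes exactly as received from the HTTP client, and only use the returned dictionary after the call succeeds.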

Whilst we are confident that none of our results are manipulated en route to you when using our encrypted TLS endpoint, this expands upon that security for those with an elevated threat model.

That's the update for today. We will be updating our official PHP library to take advantage of this feature in the near future.

